On Wed, Mar 13, 2013 at 4:11 PM, Arran Cudbard-Bell
<[email protected]> wrote:
>> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS
>> attribute, and add the RADIUS attribute to raddb/dictionary (taking care to
>> note the comments about numbering i.e. pick a number from 3000-3999). Don't
>> re-use an existing attribute - many of the xxGroup attributes have "magic"
>> behaviour hooks.
>
> Phili is correct, but this will only work for something like AD, where you
> have memberOf attributes which link a user account to a group.
>
> This also doesn't really work if you want a group name, and the membership
> attributes specify a group DN, though it'd probably be pretty easy to figure
> out the group name later (you could even do it within unlang if you're using
> FR 3.0).

Thanks, we're using the memberof overlay, and that might be working.

First problem is that I need to rewrite the output from ldap to
something the radius-client finds useful. But there are radius modules
for rewriting things, right?

Next problem seems to be that freeradius ignores when ldap is
returning more than one group, am I correct?

--
regards,
Robin